Ly, Cheyne
From: Ly, Cheyne 

Sent: Thursday, September 14, 2006 12:11 PM 
To: 'Ellen Baker'

Subject: RE: 10/613660 Proposed claim amendments v3 (Our File: 03226/500001) 
Ellen and Rackham: 

Here is my suggestion. It is very consistent with your recent proposal. My concern with your proposal of having 
the obtaining step before steps a), b), and c), is that the language in said steps would need to be amended to 
reflect the new step of "obtaining..." 

Dune 

-----Original Message-----

From: Ellen Baker [mailto:Baker@oshaliang.com] 
Sent: Thursday, September 14, 2006 11:59 AM 
To: Ly, Cheyne 

Cc: Rackham K. Hoke; Ramona F. Hernandez 

Subject: 10/613660 Proposed claim amendments v3 (Our File: 03226/500001) 
Dune, 

Thank you again for taking the time to discuss this application with us. By way of this email, we are 
authorizing you, and any other entities at the USPTO, to communicate with us via email concerning this 
application. 

Attached is our proposed amendment to claim 1 (as well as the other claim amendments). As you will see, 
claim 1 now contains an "obtaining an updated tree structure" step similar to the one you agreed yesterday 
would be acceptable. The only difference is that the "obtaining" now encompasses former steps a, b, and 
c, rather than being limited to step c. 

We look forward to your response. 

Best regards, 

Ellen and Rackham 

Osha • Liang LLP
www.oshaliang.com

713-890-1794 



PRIVILEGED AND CONFIDENTIAL: This email is intended solely for the person or entity to which it is addressed and may contain confidential 
and/or privileged information. Copying, forwarding or distributing this message by persons or entities other than the addressee is prohibited. If 
you have received this email in error, please contact the sender immediately and delete the material from any computer. 
PROPOSED CLAIM AMENDMENTS
DRAFT - CLIENT APPROVAL NEEDED 

Version 3 

Please amend the claims as follows. 

1. (Currently Amended) A method of operating extending role scope in a directory server
system comprising: 



a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope[[;]] ,

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining [[an]] the extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule[[;]] , and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope ; and

responding to a request to perform a role operation associated with the updated tree
structure, wherein the role operation identifies that the second user entry
possesses the role.

d) obtaining the tree structure comprising the extra scope updated by steps a), b), and c);
e) performing a role operation associated with the updated tree structure, in response to a
request wherein the performed role operation identifies that the second user entry 
possesses the role. 



2. (Previously Presented) The method of claim 1, wherein the existing role entry is a nested 
role entry defining at least one other role. 

3. (Previously Presented) The method of claim 2, wherein the existing role entry has an 
attribute defining the at least one other role. 

4. (Previously Presented) The method of claim 1, wherein the role membership condition 
comprises a candidate user entry having an attribute designating the role defined by the 
existing role entry. 

5. (Previously Presented) The method of claim 1, wherein the existing role entry has a role 
filter condition, and the role membership condition comprises one or more attributes of a 
candidate user entry meeting the role filter condition. 

6. (Original) The method of claim 5, wherein the existing role entry has an attribute designating 
the role filter condition. 

7. (Cancelled) 

8. (Cancelled) 

9. (Previously Presented) The method of claim 1, wherein the extra scope is defined as a 
subtree of the designated location. 

10. (Previously Presented) The method of claim 1, wherein the first predefined rule comprises 
defining the existing role entry's associated scope as a subtree of a parent of the existing role 
entry in the tree structure. 

11. (Previously Presented) The method of claim 1, further comprising: wherein the request
comprises

d) responding to a request of whether a designated user entry has a given role [[by]] ,

and wherein responding to the request comprises :

d1) identifying a corresponding role entry corresponding to the given role;

d2) determining whether the designated user entry meets the first condition in
relation to the corresponding role entry;

d3) if the designated user entry does not meet the first condition in relation to
the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying [[an]] the extra scope; and

d4) if the corresponding role entry has extra role data, determining whether
the designated user entry meets the second condition in relation to the
corresponding role entry.

12. (Previously Presented) The method of claim 1, further comprising: wherein the request
comprises

d) responding to a request for any user entries having a given role [[by]] , and

wherein responding to the request comprises :

d1) identifying a corresponding role entry corresponding to the given role;

d2) scanning the updated tree structure to identify any user entries meeting the
first condition in relation to the corresponding role entry; and

d3) if the corresponding role entry has extra role data identifying [[an]] the
extra scope, scanning the updated tree structure to identify any user entries
meeting the second condition in relation to the corresponding role entry.

13. (Previously Presented) The method of claim 1, further comprising wherein the request 
comprises : 

d) responding to a request for roles of a given user entry [[by]] , and wherein

responding to the request comprises :

d1) identifying a candidate role entry;

d2) determining whether the given user entry meets the first condition in
relation to the candidate role entry;

d3) if the given user entry does not meet the first condition in relation to the
candidate role entry and the candidate role entry has extra role data
identifying [[an]] the extra scope, determining whether the given user
entry meets the second condition in relation to the candidate role entry;
and

d4) repeating said d1) through said d3) with other candidate role entries until
an end condition is met. 

14. (Previously Presented) The method of claim 13, wherein the end condition comprises 
having performed said d1) through said d3) with substantially all the applicable candidate
role entries. 

15. (Currently Amended) The method of claim 13, wherein the given user entry belongs to a 
subtree of a top suffix of the updated tree structure, said d2) is performed for each role entry 
belonging to the subtree of said top suffix, and said d3) is performed for each role entry 
belonging to any subtree of any top suffix of the updated tree structure. 

16. (Currently Amended) A directory server system comprising: 

a directory server that interacts interacting with entries in a tree structure, said tree
structure comprising an existing role entry and a first user entry, wherein the 
existing role entry defines a role and has an associated scope in the tree structure 
based on the existing role entry's location in the tree structure according to a first 
predefined rule; 

a role mechanism that attaches capable of attaching the existing role entry's role to the
first user entry subject to a first condition comprising a role membership
condition and the first user entry belonging to the associated scope; and

wherein said role mechanism further attaches capable of attaching the existing role
entry's role to a second user entry subject to a second condition comprising said 
role membership condition and the second user entry belonging to an extra scope 
identified by extra role data of the existing role entry, wherein the extra role data 
comprise an added attribute having a special attribute name and being associated 
with an attribute value identifying a designated location in the tree structure 
outside of the existing role entry's associated scope, and the extra scope is based 
on the designated location according to a second predefined rule. 

17. (Previously Presented) The directory server system of claim 16, wherein the existing role
entry is a nested role entry defining at least one other role. 

18. (Previously Presented) The directory server system of claim 17, wherein the existing role 
entry has an attribute defining the at least one other role. 

19. (Previously Presented) The directory server system of claim 16, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

20. (Previously Presented) The directory server system of claim 16, wherein the existing role 
entry has a role filter condition, and the role membership condition comprises one or more 
attributes of a candidate user entry meeting the role filter condition. 

21. (Original) The directory server system of claim 20, wherein the existing role entry has an 
attribute designating the role filter condition. 

22. (Cancelled) 

23. (Cancelled) 

24. (Previously Presented) The directory server system of claim 16, wherein the extra scope is 
defined as a subtree of the designated location. 

25. (Previously Presented) The directory server system of claim 16, wherein the first predefined 
rule comprises defining the existing role entry's associated scope as a subtree of a parent of 
the existing role entry in the tree structure. 

26. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding responds to a request of whether a designated user entry has
a given role by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 

iii) if the designated user entry does not meet the first condition in relation to the
corresponding role entry, determining whether the corresponding role entry 
has extra role data defining [[an]] the extra scope; and 

iv) if the corresponding role entry has extra role data, determining whether the 
designated user entry meets the second condition in relation to the 
corresponding role entry. 

27. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding responds to a request for any user entries having a given role
by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) scanning the tree to identify any user entries meeting the first condition in relation 
to the corresponding role entry; and 

iii) if the corresponding role entry has extra data identifying [[an]] the extra scope, 
scanning the tree to identify any user entries meeting the second condition in 
relation to the corresponding role entry. 

28. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding responds to a request for roles of a given user entry by:

i) identifying a candidate role entry; 

ii) determining whether the given user entry meets the first condition in relation to 
the candidate role entry; 

iii) if the given user entry does not meet the first condition in relation to the candidate 
role entry and the determined role entry has extra data identifying [[an]] the extra 
scope, determining whether the given user entry meets the second condition in 
relation to the candidate role entry; and 

iv) repeating said i) through said iii) with other candidate roles entries until an end 
condition is met. 

29. (Previously Presented) The directory server system of claim 28, wherein the end condition 
comprises having performed said i) through said iii) with substantially all the applicable 
candidate role entries. 

30. (Previously Presented) The directory server system of claim 28, wherein the given user
entry belongs to a subtree of a top suffix of the tree structure, said ii) is performed for each 
role entry belonging to the subtree of said top suffix, and said iii) is performed for each role 
entry belonging to any subtree of any top suffix of the tree structure. 

31. (Currently Amended) A computer readable storage medium having stored thereon
instructions comprising software code stored thereon for: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope; 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining an extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule; and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope. 

32. (Currently Amended) The computer readable storage medium of claim 31, wherein the 
existing role entry is a nested role entry defining at least one other role. 

33. (Currently Amended) The computer readable storage medium of claim 32, wherein the 
existing role entry has an attribute defining the at least one other role. 

34. (Currently Amended) The computer readable storage medium of claim 31, wherein the role
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

35. (Currently Amended) The computer readable storage medium of claim 31, wherein the 
existing role entry has a role filter condition, and the role membership condition comprises 
one or more attributes of a candidate user entry meeting the role filter condition. 

36. (Currently Amended) The computer readable storage medium of claim 35, wherein the 
existing role entry has an attribute designating the role filter condition. 

37. (Cancelled) 

38. (Cancelled) 

39. (Currently Amended) The computer readable storage medium of claim 31, wherein the extra 
scope is defined as a subtree of the designated location. 

40. (Currently Amended) The computer readable storage medium of claim 31, wherein the first 
predefined rule comprises defining the existing role entry's associated scope as a subtree of a 
parent of the existing role entry in the tree structure. 

41. (Currently Amended) The computer readable storage medium of claim 31, further 
comprising instructions software code stored thereon for: 

d) responding to a request of whether a designated user entry has a given role by:

d1) identifying a corresponding role entry corresponding to the given role;

d2) determining whether the designated user entry meets the first condition in
relation to the corresponding role entry;

d3) if the designated user entry does not meet the first condition in relation to
the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying [[an]] the extra scope; and

d4) if the corresponding role entry has extra role data, determining whether
the designated user entry meets the second condition in relation to the
corresponding role entry.

42. (Currently Amended) The computer readable storage medium of claim 31, further
comprising instructions software code stored thereon for: 

d) responding to a request for any user entries having a given role by: 

d1) identifying a corresponding role entry corresponding to the given role;

d2) scanning the tree to identify any user entries meeting the first condition in
relation to the corresponding role entry; and

d3) if the corresponding role entry has extra role data identifying [[an]] the
extra scope, scanning the tree to identify any user entries meeting the 
second condition in relation to the corresponding role entry. 

43. (Currently Amended) The computer readable storage medium of claim 31, further 
comprising instructions software code stored thereon for: 

d) responding to a request for roles of a given user entry by:

d1) identifying a candidate role entry;

d2) determining whether the given user entry meets the first condition in
relation to the candidate role entry;

d3) if the given user entry does not meet the first condition in relation to the
candidate role entry and the candidate role entry has extra role data
identifying [[an]] the extra scope, determining whether the given user
entry meets the second condition in relation to the candidate role entry;
and

d4) repeating said d1) through said d3) with other candidate role entries until
an end condition is met. 

44. (Currently Amended) The computer readable storage medium of claim 43, wherein the end 
condition comprises having performed said d1) through said d3) with substantially all the
applicable candidate role entries. 

45. (Currently Amended) The computer readable storage medium of claim 43, wherein the 
given user entry belongs to a subtree of a top suffix of the tree structure, said d2) is 
performed for each role entry belonging to the subtree of said top suffix, and said d3) is 
performed for each role entry belonging to any subtree of any top suffix of the tree structure. 

Ly, Cheyne

From: Ellen Baker [Baker@oshaliang.com] 
Sent: Thursday, September 14, 2006 11:59 AM 
To: Ly, Cheyne 

Cc: Rackham K. Hoke; Ramona F. Hernandez 

Subject: 10/613660 Proposed claim amendments v3 (Our File: 03226/500001) 
Dune, 

Thank you again for taking the time to discuss this application with us. By way of this email, we are authorizing 
you, and any other entities at the USPTO, to communicate with us via email concerning this application. 

Attached is our proposed amendment to claim 1 (as well as the other claim amendments). As you will see, claim 
1 now contains an "obtaining an updated tree structure" step similar to the one you agreed yesterday would be 
acceptable. The only difference is that the "obtaining" now encompasses former steps a, b, and c, rather than 
being limited to step c. 

We look forward to your response. 

Best regards, 

Ellen and Rackham 

Osha • Liang LLP 
www.oshaliang.com

713-890-1794 

PRIVILEGED AND CONFIDENTIAL: This email is intended solely for the person or entity to which it is addressed and may contain confidential and/or 
privileged information. Copying, forwarding or distributing this message by persons or entities other than the addressee is prohibited. If you have 
received this email in error, please contact the sender immediately and delete the material from any computer. 

PROPOSED CLAIM AMENDMENTS
DRAFT - CLIENT APPROVAL NEEDED 

Version 3 

Please amend the claims as follows. 

1. (Currently Amended) A method of operating extending role scope in a directory server
system comprising: 

obtaining an updated tree structure comprising an extra scope by: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope[[;]] ,

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining [[an]] the extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule[[;]] , and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope ; and 

responding to a request to perform a role operation associated with the updated tree 
structure, wherein the role operation identifies that the second user entry 
possesses the role . 

2. (Previously Presented) The method of claim 1, wherein the existing role entry is a nested 
role entry defining at least one other role. 

3. (Previously Presented) The method of claim 2, wherein the existing role entry has an
attribute defining the at least one other role. 

4. (Previously Presented) The method of claim 1, wherein the role membership condition
comprises a candidate user entry having an attribute designating the role defined by the 
existing role entry. 

5. (Previously Presented) The method of claim 1, wherein the existing role entry has a role 
filter condition, and the role membership condition comprises one or more attributes of a 
candidate user entry meeting the role filter condition. 

6. (Original) The method of claim 5, wherein the existing role entry has an attribute designating 
the role filter condition. 

7. (Cancelled) 

8. (Cancelled) 

9. (Previously Presented) The method of claim 1, wherein the extra scope is defined as a 
subtree of the designated location. 

10. (Previously Presented) The method of claim 1, wherein the first predefined rule comprises 
defining the existing role entry's associated scope as a subtree of a parent of the existing role 
entry in the tree structure. 

11. (Previously Presented) The method of claim 1, further comprising: wherein the request
comprises 

d) responding to a request of whether a designated user entry has a given role [[by]] ,

and wherein responding to the request comprises :

d1) identifying a corresponding role entry corresponding to the given role;

d2) determining whether the designated user entry meets the first condition in
relation to the corresponding role entry;

d3) if the designated user entry does not meet the first condition in relation to
the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying [[an]] the extra scope; and

d4) if the corresponding role entry has extra role data, determining whether
the designated user entry meets the second condition in relation to the
corresponding role entry.

12. (Previously Presented) The method of claim 1, further comprising: wherein the request
comprises

d) responding to a request for any user entries having a given role [[by]] , and

wherein responding to the request comprises :

d1) identifying a corresponding role entry corresponding to the given role;

d2) scanning the updated tree structure to identify any user entries meeting the
first condition in relation to the corresponding role entry; and

d3) if the corresponding role entry has extra role data identifying [[an]] the
extra scope, scanning the updated tree structure to identify any user entries
meeting the second condition in relation to the corresponding role entry.

13. (Previously Presented) The method of claim 1, further comprising wherein the request
comprises :

d) responding to a request for roles of a given user entry [[by]] , and wherein

responding to the request comprises :

d1) identifying a candidate role entry;

d2) determining whether the given user entry meets the first condition in
relation to the candidate role entry;

d3) if the given user entry does not meet the first condition in relation to the
candidate role entry and the candidate role entry has extra role data
identifying [[an]] the extra scope, determining whether the given user
entry meets the second condition in relation to the candidate role entry;
and

d4) repeating said d1) through said d3) with other candidate role entries until
an end condition is met. 

14. (Previously Presented) The method of claim 13, wherein the end condition comprises 
having performed said d1) through said d3) with substantially all the applicable candidate
role entries. 

15. (Currently Amended) The method of claim 13, wherein the given user entry belongs to a
subtree of a top suffix of the updated tree structure, said d2) is performed for each role entry 
belonging to the subtree of said top suffix, and said d3) is performed for each role entry 
belonging to any subtree of any top suffix of the updated tree structure. 

16. (Currently Amended) A directory server system comprising: 

a directory server that interacts interacting with entries in a tree structure, said tree
structure comprising an existing role entry and a first user entry, wherein the 
existing role entry defines a role and has an associated scope in the tree structure 
based on the existing role entry's location in the tree structure according to a first 
predefined rule; 

a role mechanism that attaches capable of attaching the existing role entry's role to the 
first user entry subject to a first condition comprising a role membership 
condition and the first user entry belonging to the associated scope; and

wherein said role mechanism further attaches capable of attaching the existing role
entry's role to a second user entry subject to a second condition comprising said 
role membership condition and the second user entry belonging to an extra scope 
identified by extra role data of the existing role entry, wherein the extra role data 
comprise an added attribute having a special attribute name and being associated 
with an attribute value identifying a designated location in the tree structure 
outside of the existing role entry's associated scope, and the extra scope is based 
on the designated location according to a second predefined rule. 

17. (Previously Presented) The directory server system of claim 16, wherein the existing role 
entry is a nested role entry defining at least one other role. 

18. (Previously Presented) The directory server system of claim 17, wherein the existing role 
entry has an attribute defining the at least one other role. 

19. (Previously Presented) The directory server system of claim 16, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

20. (Previously Presented) The directory server system of claim 16, wherein the existing role
entry has a role filter condition, and the role membership condition comprises one or more 
attributes of a candidate user entry meeting the role filter condition. 

21. (Original) The directory server system of claim 20, wherein the existing role entry has an 
attribute designating the role filter condition. 

22. (Cancelled) 

23. (Cancelled) 

24. (Previously Presented) The directory server system of claim 16, wherein the extra scope is 
defined as a subtree of the designated location. 

25. (Previously Presented) The directory server system of claim 16, wherein the first predefined 
rule comprises defining the existing role entry's associated scope as a subtree of a parent of 
the existing role entry in the tree structure. 

26. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding responds to a request of whether a designated user entry has
a given role by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 

iii) if the designated user entry does not meet the first condition in relation to the 
corresponding role entry, determining whether the corresponding role entry 
has extra role data defining [[an]] the extra scope; and 

iv) if the corresponding role entry has extra role data, determining whether the 
designated user entry meets the second condition in relation to the 
corresponding role entry. 

27. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding responds to a request for any user entries having a given role
by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) scanning the tree to identify any user entries meeting the first condition in relation
to the corresponding role entry; and 

iii) if the corresponding role entry has extra data identifying [[an]] the extra scope, 
scanning the tree to identify any user entries meeting the second condition in 
relation to the corresponding role entry. 

28. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding responds to a request for roles of a given user entry by:

i) identifying a candidate role entry; 

ii) determining whether the given user entry meets the first condition in relation to 
the candidate role entry; 

iii) if the given user entry does not meet the first condition in relation to the candidate 
role entry and the determined role entry has extra data identifying [[an]] the extra 
scope, determining whether the given user entry meets the second condition in 
relation to the candidate role entry; and 

iv) repeating said i) through said iii) with other candidate roles entries until an end 
condition is met. 

29. (Previously Presented) The directory server system of claim 28, wherein the end condition 
comprises having performed said i) through said iii) with substantially all the applicable 
candidate role entries. 

30. (Previously Presented) The directory server system of claim 28, wherein the given user 
entry belongs to a subtree of a top suffix of the tree structure, said ii) is performed for each 
role entry belonging to the subtree of said top suffix, and said iii) is performed for each role 
entry belonging to any subtree of any top suffix of the tree structure. 

31. (Currently Amended) A computer readable storage medium having stored thereon 
instructions comprising software code stored thereon for: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope; 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining an extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule; and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope. 

32. (Currently Amended) The computer readable storage medium of claim 31, wherein the 
existing role entry is a nested role entry defining at least one other role. 

33. (Currently Amended) The computer readable storage medium of claim 32, wherein the 
existing role entry has an attribute defining the at least one other role. 

34. (Currently Amended) The computer readable storage medium of claim 31, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

35. (Currently Amended) The computer readable storage medium of claim 31, wherein the 
existing role entry has a role filter condition, and the role membership condition comprises 
one or more attributes of a candidate user entry meeting the role filter condition. 

36. (Currently Amended) The computer readable storage medium of claim 35, wherein the 
existing role entry has an attribute designating the role filter condition. 

37. (Cancelled) 

38. (Cancelled) 

39. (Currently Amended) The computer readable storage medium of claim 31, wherein the extra 
scope is defined as a subtree of the designated location. 

40. (Currently Amended) The computer readable storage medium of claim 31, wherein the first 
predefined rule comprises defining the existing role entry's associated scope as a subtree of a 
parent of the existing role entry in the tree structure. 

41. (Currently Amended) The computer readable storage medium of claim 31, further 
comprising instructions software code stored thereon for: 

d) responding to a request of whether a designated user entry has a given role by: 
d1) identifying a corresponding role entry corresponding to the given role; 

d2) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 

d3) if the designated user entry does not meet the first condition in relation to 
the corresponding role entry, determining whether the corresponding role 
entry has extra role data identifying [[an]] the extra scope; and 

d4) if the corresponding role entry has extra role data, determining whether 
the designated user entry meets the second condition in relation to the 
corresponding role entry. 

42. (Currently Amended) The computer readable storage medium of claim 31, further 
comprising instructions software code stored thereon for: 

d) responding to a request for any user entries having a given role by: 

d1) identifying a corresponding role entry corresponding to the given role; 

d2) scanning the tree to identify any user entries meeting the first condition in 
relation to the corresponding role entry; and 

d3) if the corresponding role entry has extra role data identifying [[an]] the 
extra scope, scanning the tree to identify any user entries meeting the 
second condition in relation to the corresponding role entry. 

43. (Currently Amended) The computer readable storage medium of claim 31, further 
comprising instructions software code stored thereon for: 

d) responding to a request for roles of a given user entry by: 

d1) identifying a candidate role entry; 

d2) determining whether the given user entry meets the first condition in 
relation to the candidate role entry; 

d3) if the given user entry does not meet the first condition in relation to the 
candidate role entry and the candidate role entry has extra role data 
identifying [[an]] the extra scope, determining whether the given user 
entry meets the second condition in relation to the candidate role entry; 
and 

d4) repeating said d1) through said d3) with other candidate role entries until 
an end condition is met. 

44. (Currently Amended) The computer readable storage medium of claim 43, wherein the end 
condition comprises having performed said d1) through said d3) with substantially all the 
applicable candidate role entries. 

45. (Currently Amended) The computer readable storage medium of claim 43, wherein the 
given user entry belongs to a subtree of a top suffix of the tree structure, said d2) is 
performed for each role entry belonging to the subtree of said top suffix, and said d3) is 
performed for each role entry belonging to any subtree of any top suffix of the tree structure. 

REMARKS 

Please reconsider this application in view of the above amendments and the 
following remarks. The Applicant thanks the Examiner for carefully considering this application 
and for indicating that the claims of record would be allowable if the rejections under 35 U.S.C. 
§ 112 are overcome (see Office Action dated June 27, 2006, page 4). 

Examiner Interview 

The Applicant thanks the Examiner for the courtesies extended during the 
Examiner Interview conducted on August 14, 2006. The Applicant has reviewed the Examiner's 
interview summary and has no additional comments at this point in the prosecution. 

Disposition of Claims 

Claims 1-6, 9-21, 24-36, and 39-45 are pending in the application. Claims 1, 16, 
and 31 are independent. The remaining claims depend, directly or indirectly, from independent 
claims 1, 16, and 31. 

Claim Amendments 

By way of this reply, claims 1, 10, 16, 25, 31, and 40 have been amended to 
clarify antecedent basis issues. Specifically, the claims have been amended to clarify that the 
predefined rule referred to in claims 10, 25, and 40 corresponds to a first predefined rule. 
Further, by way of this reply, claim 16 has been amended to correct a typographical error. 

Priority Document 

The Applicant has recently discovered that a certified copy of the French priority 
document for this application has not been forwarded to date. This failure to submit the priority 
document was inadvertent and unintentional. A copy of the certified priority document is being 
filed contemporaneously with this response. 

Rejections under 35 U.S.C. § 112 ¶ 2 

Claims 10, 25, and 40 stand rejected under 35 U.S.C. § 112 ¶ 2 as being 
indefinite. Specifically, the Examiner has asserted that claims 10, 25, and 40 lack sufficient 
antecedent basis for "the predefined rule" recited in the claims (see Office Action dated June 27, 
2006, page 2). By way of this reply, claims 1, 10, 16, 25, 31, and 40 have been amended to 
clarify that the predefined rule referred to in claims 10, 25, and 40 corresponds to a first 
predefined rule. In view of these amendments, the Applicant respectfully submits that amended 
claims 10, 25, and 40 are not indefinite. Accordingly, withdrawal of this rejection is respectfully 
requested. 

Rejections under 35 U.S.C. § 112 ¶ 1 

Claims 1-6, 9-21, 24-36, and 39-45 stand rejected under 35 U.S.C. § 112 ¶ 1 as 
failing to comply with the written description requirement. Specifically, the Examiner has 
asserted that the disclosure does not provide written basis for "a first user entry in the tree 
structure" and "a second user entry ... the second user entry belonging to the extra scope" as 
recited in independent claims 1, 16, and 31 (see Office Action dated June 27, 2006, pages 3-4). 
This rejection is respectfully traversed. Specifically, written basis for the limitations in question 
can be found in the Specification as published, as described below. 

1. A first user entry in the tree structure 

As described in the Specification, a role entry typically has an associated scope 
based on the role entry's location in the tree structure (see, e.g., Figure 6, where the scope of a 
role entry is a subtree of the role entry's parent entry). Further, user entries belonging to the 
associated scope may be members of the role subject to a role membership condition. For 
example, members of a managed role must have an attribute designating the role defined in the 
role entry (e.g., a distinguished name (DN) attribute corresponding to the DN of the role entry); 
members of a filtered role must match a filter specified in the role entry; and members of a 
nested role must meet the role condition(s) for at least one of the roles referenced by the role 
entry (see, e.g., page 18, line 18 - page 21, line 10 of the Specification). Thus, the "first user 
entry" recited in the claims is a user entry that belongs to a role's scope and meets the 
appropriate role membership condition, as clearly supported by the Specification. 

2. a second user entry... the second user entry belonging to the extra scope 

As described in the Specification, an extra scope may be defined for a role entry 
by adding an attribute to the role entry that defines the extra scope (see, e.g., page 23, lines 4-15 
of the Specification). Figure 14 shows one example of an extended role, where an 
nsRoleScopeDN attribute is added to the cn = everybody_cross2 role entry to extend the role's 
scope to include the subtree of o = suffix2 (see also page 32, line 15 - page 34, line 7). Further, 
user entries belonging to the extra scope may be members of the extended role subject to a role 
membership condition, as described above (see also page 25, lines 4-9 of the Specification). 
Thus, the "second user entry" recited in the claims is a user entry that belongs to the extra scope 
and meets the appropriate role membership condition, as clearly supported by the Specification. 

In view of the above, the Specification clearly provides written basis for "a first 
user entry in the tree structure" and "a second user entry ... the second user entry belonging to 
the extra scope" as recited in independent claims 1, 16, and 31. Accordingly, withdrawal of this 
rejection is respectfully requested. 



Conclusion 

The Applicant believes this reply is fully responsive to all outstanding issues and 
places this application in condition for allowance. If this belief is incorrect, or other issues arise, 
the Examiner is encouraged to contact the undersigned or his associates at the telephone number 
listed below. Please apply any charges not covered, or any credits, to Deposit Account 50-0591 
(Reference Number 03226/500001; P7528). 

Dated: August 28, 2006 Respectfully submitted, 




1221 McKinney St., Suite 2800 
Houston, Texas 77010 
(713) 228-8600 
(713) 228-8778 (Fax) 
Attorney for Applicant 
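
The role checks recited in claims 26-28 and 41-43, and the scope rules summarized in the Remarks above, can be sketched as follows. This is an added example, not code from the application or from any directory server: only `nsRoleScopeDN`, `cn=everybody_cross2` and `o=suffix2` come from the text, while the `nsRoleDN` membership attribute, the entry locations, the other roles and users, and the equality-only filter are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

def rdns(dn):
    """Normalize a DN into lowercase RDNs (no escaped-comma handling; sample data only)."""
    return tuple("=".join(p.strip().lower() for p in rdn.split("=", 1))
                 for rdn in dn.split(","))

def in_subtree(dn, base):
    """True when dn is base itself or lies below base in the tree."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def parent(dn):
    return dn.split(",", 1)[1]

@dataclass
class Role:
    dn: str
    kind: str                                   # "managed", "filtered" or "nested"
    flt: tuple = None                           # filtered: (attribute, value), equality only
    nested: list = field(default_factory=list)  # nested: DNs of the referenced roles
    scope_dn: str = None                        # nsRoleScopeDN value (designated location)

def meets_membership(user, role, roles, seen=()):
    """Role membership condition alone, with no scope test."""
    seen = seen + (role.dn,)                    # guards against nested-role cycles
    if role.kind == "managed":                  # user names the role (assumed attr nsRoleDN)
        return any(rdns(v) == rdns(role.dn) for v in user.get("nsRoleDN", []))
    if role.kind == "filtered":                 # user attributes match the role filter
        attr, value = role.flt
        return value in user.get(attr, [])
    return any(meets_membership(user, roles[dn], roles, seen)   # nested: any referenced role
               for dn in role.nested if dn in roles and dn not in seen)

def check_role(user, role, roles):
    """Return 'first', 'second' or None, following steps ii) to iv) of claim 26."""
    # First condition: membership AND user inside the associated scope
    # (first predefined rule of claim 25: subtree of the role entry's parent).
    if in_subtree(user["dn"], parent(role.dn)) and meets_membership(user, role, roles):
        return "first"
    if role.scope_dn is None:                   # no extra role data: stop here
        return None
    # Second condition: membership AND user inside the extra scope
    # (second predefined rule of claim 24: subtree of the designated location).
    if in_subtree(user["dn"], role.scope_dn) and meets_membership(user, role, roles):
        return "second"
    return None

def users_with_role(role, users, roles):        # claim 27: scan the tree for members
    return [u["dn"] for u in users if check_role(u, role, roles)]

def roles_of(user, roles):                      # claim 28: try every candidate role entry
    return [r.dn for r in roles.values() if check_role(user, r, roles)]

def cross_scope_grants(users, roles):
    """Audit view: memberships that exist only because of an extra scope."""
    return [(u["dn"], r.dn) for r in roles.values() for u in users
            if check_role(u, r, roles) == "second"]

# Constructed sample tree with three top suffixes.
EVERYBODY = "cn=everybody_cross2,o=suffix1"
ADMINS = "cn=admins,ou=ops,o=suffix1"
STAFF = "cn=staff,o=suffix1"
ROLES = {
    EVERYBODY: Role(EVERYBODY, "filtered", flt=("objectclass", "person"),
                    scope_dn="o=suffix2"),
    ADMINS: Role(ADMINS, "managed"),
    STAFF: Role(STAFF, "nested", nested=[ADMINS]),
}
USERS = [
    {"dn": "uid=alice,ou=people,o=suffix1", "objectclass": ["person"]},
    {"dn": "uid=bob,ou=people,o=suffix2", "objectclass": ["person"],
     "nsRoleDN": [ADMINS]},                     # names a role whose scope excludes bob
    {"dn": "uid=carol,ou=ops,o=suffix1", "objectclass": ["person"],
     "nsRoleDN": [ADMINS]},
    {"dn": "uid=dave,o=suffix3", "objectclass": ["person"]},
]

if __name__ == "__main__":
    for user_dn, role_dn in cross_scope_grants(USERS, ROLES):
        print(f"{user_dn} holds {role_dn} through the extra scope")
```

In this sample, bob's entry names the admins role but lies outside that role's scope, so the role does not attach; only a role entry carrying an extra scope reaches into another suffix, which is why `cross_scope_grants` is the list to review when auditing role-based access.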

PROPOSED CLAIM AMENDMENTS 
DRAFT - CLIENT APPROVAL NEEDED 




Please amend the claims as follows. 

1. (Currently Amended) A method of operating extending role scope in a directory server 
system comprising: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope; 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining an extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule; and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope, to obtain an updated tree structure comprising 
an extended role scope. 

2. (Previously Presented) The method of claim 1, wherein the existing role entry is a nested role 
entry defining at least one other role. 

3. (Previously Presented) The method of claim 2, wherein the existing role entry has an 
attribute defining the at least one other role. 

09/13/2006 14:15 FAX 7132288778 OSHA_LIANG_LLP 002/009 

Application No.: 10/613,660 Docket No.: 03226/500001; P7528 

4. (Previously Presented) The method of claim 1, wherein the role membership condition 
comprises a candidate user entry having an attribute designating the role defined by the 
existing role entry. 

5. (Previously Presented) The method of claim 1, wherein the existing role entry has a role 
filter condition, and the role membership condition comprises one or more attributes of a 
candidate user entry meeting the role filter condition. 

6. (Original) The method of claim 5, wherein the existing role entry has an attribute designating 
the role filter condition. 

7. (Cancelled) 

8. (Cancelled) 

9. (Previously Presented) The method of claim 1, wherein the extra scope is defined as a 
subtree of the designated location. 

10. (Previously Presented) The method of claim 1, wherein the first predefined rule comprises 
defining the existing role entry's associated scope as a subtree of a parent of the existing role 
entry in the tree structure. 

11. (Previously Presented) The method of claim 1, further comprising: 

d) responding to a request of whether a designated user entry has a given role by: 
d1) identifying a corresponding role entry corresponding to the given role; 
d2) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 
d3) if the designated user entry does not meet the first condition in relation to 
the corresponding role entry, determining whether the corresponding role 
entry has extra role data identifying an extra scope; and 
d4) if the corresponding role entry has extra role data, determining whether 
the designated user entry meets the second condition in relation to the 
corresponding role entry. 

12. (Previously Presented) The method of claim 1, further comprising: 

d) responding to a request for any user entries having a given role by: 

d1) identifying a corresponding role entry corresponding to the given role; 
d2) scanning the tree to identify any user entries meeting the first condition in 
relation to the corresponding role entry; and 
d3) if the corresponding role entry has extra role data identifying an extra 
scope, scanning the tree to identify any user entries meeting the second 
condition in relation to the corresponding role entry. 

13. (Previously Presented) The method of claim 1, further comprising: 

d) responding to a request for roles of a given user entry by: 
d1) identifying a candidate role entry; 

d2) determining whether the given user entry meets the first condition in 
relation to the candidate role entry; 

d3) if the given user entry does not meet the first condition in relation to the 
candidate role entry and the candidate role entry has extra role data 
identifying an extra scope, determining whether the given user entry 
meets the second condition in relation to the candidate role entry; and 

d4) repeating said d1) through said d3) with other candidate role entries until 
an end condition is met. 

14. (Previously Presented) The method of claim 13, wherein the end condition comprises 
having performed said d1) through said d3) with substantially all the applicable candidate 
role entries. 

15. (Previously Presented) The method of claim 13, wherein the given user entry belongs to a 
subtree of a top suffix of the tree structure, said d2) is performed for each role entry 
belonging to the subtree of said top suffix, and said d3) is performed for each role entry 
belonging to any subtree of any top suffix of the tree structure. 

16. (Currently Amended) A directory server system comprising: 

a directory server configured to interact[[ing]] with entries in a tree structure, said tree 
structure comprising an existing role entry and a first user entry, wherein the 
existing role entry defines a role and has an associated scope in the tree structure 
based on the existing role entry's location in the tree structure according to a first 
predefined rule; 

a role mechanism capable of configured to attach[[ing]] the existing role entry's role to 
the first user entry subject to a first condition comprising a role membership 
condition and the first user entry belonging to the associated scope; and 

said role mechanism further capable of configured to attach[[ing]] the existing role 
entry's role to a second user entry subject to a second condition comprising said 
role membership condition and the second user entry belonging to an extra scope 
identified by extra role data of the existing role entry, wherein the extra role data 
comprise an added attribute having a special attribute name and being associated 
with an attribute value identifying a designated location in the tree structure 
outside of the existing role entry's associated scope, and the extra scope is based 
on the designated location according to a second predefined rule. 

17. (Previously Presented) The directory server system of claim 16, wherein the existing role 
entry is a nested role entry defining at least one other role. 

18. (Previously Presented) The directory server system of claim 17, wherein the existing role 
entry has an attribute defining the at least one other role. 

19. (Previously Presented) The directory server system of claim 16, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

20. (Previously Presented) The directory server system of claim 16, wherein the existing role 
entry has a role filter condition, and the role membership condition comprises one or more 
attributes of a candidate user entry meeting the role filter condition. 

21. (Original) The directory server system of claim 20, wherein the existing role entry has an 
attribute designating the role filter condition. 

22. (Cancelled) 

23. (Cancelled) 

24. (Previously Presented) The directory server system of claim 16, wherein the extra scope is 
defined as a subtree of the designated location. 

25. (Previously Presented) The directory server system of claim 16, wherein the first predefined 
rule comprises defining the existing role entry's associated scope as a subtree of a parent of 
the existing role entry in the tree structure. 

26. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of configured to respond[[ing]] to a request of whether a designated user 
entry has a given role by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 

iii) if the designated user entry does not meet the first condition in relation to the 
corresponding role entry, determining whether the corresponding role entry 
has extra role data defining an extra scope; and 

iv) if the corresponding role entry has extra role data, determining whether the 
designated user entry meets the second condition in relation to the 
corresponding role entry. 

27. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of configured to respond[[ing]] to a request for any user entries having a 
given role by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) scanning the tree to identify any user entries meeting the first condition in relation 
to the corresponding role entry; and 

iii) if the corresponding role entry has extra data identifying an extra scope, scanning 
the tree to identify any user entries meeting the second condition in relation to the 
corresponding role entry. 

28. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of configured to respond[[ing]] to a request for roles of a given user entry 
by: 

i) identifying a candidate role entry; 

ii) determining whether the given user entry meets the first condition in relation to 
the candidate role entry; 

iii) if the given user entry does not meet the first condition in relation to the candidate 
role entry and the determined role entry has extra data identifying an extra scope, 
determining whether the given user entry meets the second condition in relation 
to the candidate role entry; and 

iv) repeating said i) through said iii) with other candidate roles entries until an end 
condition is met. 

29. (Previously Presented) The directory server system of claim 28, wherein the end condition 
comprises having performed said i) through said iii) with substantially all the applicable 
candidate role entries. 

30. (Previously Presented) The directory server system of claim 28, wherein the given user 
entry belongs to a subtree of a top suffix of the tree structure, said ii) is performed for each 
role entry belonging to the subtree of said top suffix, and said iii) is performed for each role 
entry belonging to any subtree of any top suffix of the tree structure. 

31. (Currently Amended) A computer readable medium having stored thereon instructions 
comprising software code stored thereon for: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope; 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining an extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule; and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope. 

32. (Previously Presented) The computer readable medium of claim 31, wherein the existing 
role entry is a nested role entry defining at least one other role. 

33. (Previously Presented) The computer readable medium of claim 32, wherein the existing 
role entry has an attribute defining the at least one other role. 

34. (Previously Presented) The computer readable medium of claim 31, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

35. (Previously Presented) The computer readable medium of claim 31, wherein the existing 
role entry has a role filter condition, and the role membership condition comprises one or 
more attributes of a candidate user entry meeting the role filter condition. 

36. (Original) The computer readable medium of claim 35, wherein the existing role entry has 
an attribute designating the role filter condition. 

37. (Cancelled) 

38. (Cancelled) 

39. (Previously Presented) The computer readable medium of claim 31, wherein the extra scope 
is defined as a subtree of the designated location. 

40. (Previously Presented) The computer readable medium of claim 31, wherein the first 
predefined rule comprises defining the existing role entry's associated scope as a subtree of a 
parent of the existing role entry in the tree structure. 

41. (Currently Amended) The computer readable medium of claim 31, further comprising 
instructions software code stored thereon for: 

d) responding to a request of whether a designated user entry has a given role by: 
d1) identifying a corresponding role entry corresponding to the given role; 
d2) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 
d3) if the designated user entry does not meet the first condition in relation to 
the corresponding role entry, determining whether the corresponding role 
entry has extra role data identifying an extra scope; and 
d4) if the corresponding role entry has extra role data, determining whether 
the designated user entry meets the second condition in relation to the 
corresponding role entry. 

42. (Currently Amended) The computer readable medium of claim 31, further comprising 
instructions software code stored thereon for: 

d) responding to a request for any user entries having a given role by: 

d1) identifying a corresponding role entry corresponding to the given role; 
d2) scanning the tree to identify any user entries meeting the first condition in 
relation to the corresponding role entry; and 
d3) if the corresponding role entry has extra role data identifying an extra 
scope, scanning the tree to identify any user entries meeting the second 
condition in relation to the corresponding role entry. 

43. (Currently Amended) The computer readable medium of claim 31, further comprising 
instructions software code stored thereon for: 

d) responding to a request for roles of a given user entry by: 

d1) identifying a candidate role entry; 

d2) determining whether the given user entry meets the first condition in 
relation to the candidate role entry; 

d3) if the given user entry does not meet the first condition in relation to the 
candidate role entry and the candidate role entry has extra role data 
identifying an extra scope, determining whether the given user entry 
meets the second condition in relation to the candidate role entry; and 

d4) repeating said d1) through said d3) with other candidate role entries until 
an end condition is met. 

44. (Previously Presented) The computer readable medium of claim 43, wherein the end 
condition comprises having performed said d1) through said d3) with substantially all the 
applicable candidate role entries. 

45. (Previously Presented) The computer readable medium of claim 43, wherein the given user 
entry belongs to a subtree of a top suffix of the tree structure, said d2) is performed for each 
role entry belonging to the subtree of said top suffix, and said d3) is performed for each role 
entry belonging to any subtree of any top suffix of the tree structure. 

PROPOSED CLAIM AMENDMENTS 
DRAFT - CLIENT APPROVAL NEEDED 

Version 2 

Dear Examiner, 

After further consideration, we realized that our initially proposed amendment to claim 1, 
"to obtain an updated tree structure comprising an extended role scope" and the subsequently 
discussed amendment, "obtaining an updated tree structure by attaching . . ." do not properly 
reflect the scope of our claimed invention. We are instead proposing the added step shown 
below which we believe addresses your concerns. We have also made appropriate 
corresponding amendments to claims 11-13. We look forward to speaking with you and 
discussing this proposed amendment. 

Best regards, 

Ellen Baker and Rackham Hoke 
Please amend the claims as follows. 

1. (Currently Amended) A method of operating extending role scope in a directory server 
system comprising: 

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree 
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope; 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining an extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule; [[and]] 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope; and 

d) responding to a request to perform a role operation associated with the tree 
structure, wherein the role operation identifies that the second user entry 
possesses the role. 

2. (Previously Presented) The method of claim 1, wherein the existing role entry is a nested
role entry defining at least one other role. 

3. (Previously Presented) The method of claim 2, wherein the existing role entry has an 
attribute defining the at least one other role. 

4. (Previously Presented) The method of claim 1, wherein the role membership condition 
comprises a candidate user entry having an attribute designating the role defined by the 
existing role entry. 

5. (Previously Presented) The method of claim 1, wherein the existing role entry has a role
filter condition, and the role membership condition comprises one or more attributes of a 
candidate user entry meeting the role filter condition. 

6. (Original) The method of claim 5, wherein the existing role entry has an attribute designating 
the role filter condition. 

7. (Cancelled) 

8. (Cancelled) 

9. (Previously Presented) The method of claim 1, wherein the extra scope is defined as a 
subtree of the designated location. 

10. (Previously Presented) The method of claim 1, wherein the first predefined rule comprises 
defining the existing role entry's associated scope as a subtree of a parent of the existing role 
entry in the tree structure. 

11. (Previously Presented) The method of claim 1, further comprising: wherein the request
comprises

d) responding to a request of whether a designated user entry has a given role [[by]],
and wherein responding to the request comprises:

d1) identifying a corresponding role entry corresponding to the given role;
d2) determining whether the designated user entry meets the first condition in
relation to the corresponding role entry;
d3) if the designated user entry does not meet the first condition in relation to
the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying an extra scope; and
d4) if the corresponding role entry has extra role data, determining whether
the designated user entry meets the second condition in relation to the
corresponding role entry.

12. (Previously Presented) The method of claim 1, further comprising: wherein the request 
comprises 

responding to a request for any user entries having a given role [[by]], and
wherein responding to the request comprises:

d1) identifying a corresponding role entry corresponding to the given role;

d2) scanning the tree to identify any user entries meeting the first condition in
relation to the corresponding role entry; and 

d3) if the corresponding role entry has extra role data identifying an extra 
scope, scanning the tree to identify any user entries meeting the second 
condition in relation to the corresponding role entry. 

13. (Previously Presented) The method of claim 1, further comprising wherein the request 
comprises:

d) responding to a request for roles of a given user entry [[by]], and wherein
responding to the request comprises:

d1) identifying a candidate role entry;

d2) determining whether the given user entry meets the first condition in
relation to the candidate role entry.

d3) if the given user entry does not meet the first condition in relation to the
candidate role entry and the candidate role entry has extra role data 
identifying an extra scope, determining whether the given user entry 
meets the second condition in relation to the candidate role entry; and 

d4) repeating said d1) through said d3) with other candidate role entries until
an end condition is met.

14. (Previously Presented) The method of claim 13, wherein the end condition comprises 
having performed said d1) through said d3) with substantially all the applicable candidate
role entries.

15. (Previously Presented) The method of claim 13, wherein the given user entry belongs to a
subtree of a top suffix of the tree structure, said d2) is performed for each role entry
belonging to the subtree of said top suffix, and said d3) is performed for each role entry
belonging to any subtree of any top suffix of the tree structure. 

16. (Currently Amended) A directory server system comprising: 

a directory server that interacts interacting with entries in a tree structure, said tree 
structure comprising an existing role entry and a first user entry, wherein the 
existing role entry defines a role and has an associated scope in the tree structure 
based on the existing role entry's location in the tree structure according to a first 
predefined rule; 

a role mechanism that attaches capable of attaching the existing role entry's role to the
first user entry subject to a first condition comprising a role membership
condition and the first user entry belonging to the associated scope; and

wherein said role mechanism further attaches capable of attaching the existing role 
entry's role to a second user entry subject to a second condition comprising said 
role membership condition and the second user entry belonging to an extra scope 
identified by extra role data of the existing role entry, wherein the extra role data 
comprise an added attribute having a special attribute name and being associated 
with an attribute value identifying a designated location in the tree structure 
outside of the existing role entry's associated scope, and the extra scope is based 
on the designated location according to a second predefined role. 

17. (Previously Presented) The directory server system of claim 16, wherein the existing role
entry is a nested role entry defining at least one other role. 

18. (Previously Presented) The directory server system of claim 17, wherein the existing role 
entry has an attribute defining the at least one other role. 

19. (Previously Presented) The directory server system of claim 16, wherein the role 
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

20. (Previously Presented) The directory server system of claim 16, wherein the existing role 
entry has a role filter condition, and the role membership condition comprises one or more 
attributes of a candidate user entry meeting the role filter condition. 

21. (Original) The directory server system of claim 20, wherein the existing role entry has an 
attribute designating the role filter condition. 

22. (Cancelled) 

23. (Cancelled) 

24. (Previously Presented) The directory server system of claim 16, wherein the extra scope is 
defined as a subtree of the designated location. 

25. (Previously Presented) The directory server system of claim 16, wherein the first predefined 
rule comprises defining the existing role entry's associated scope as a subtree of a parent of 
the existing role entry in the tree structure. 

26. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding responds to a request of whether a designated user entry has
a given role by: 

i) identifying a corresponding role entry corresponding to the given role; 

ii) determining whether the designated user entry meets the first condition in 
relation to the corresponding role entry; 

iii) if the designated user entry does not meet the first condition in relation to the
corresponding role entry, determining whether the corresponding role entry 
has extra role data defining an extra scope; and 

iv) if the corresponding role entry has extra role data, determining whether the 
designated user entry meets the second condition in relation to the 
corresponding role entry. 

27. (Currently Amended) The directory server system of claim 16, wherein the role mechanism 
is further capable of responding responds to a request for any user entries having a given role
by:

i) identifying a corresponding role entry corresponding to the given role; 

ii) scanning the tree to identify any user entries meeting the first condition in relation 
to the corresponding role entry; and 

iii) if the corresponding role entry has extra data identifying an extra scope, scanning 
the tree to identify any user entries meeting the second condition in relation to the 
corresponding role entry.

28. (Currently Amended) The directory server system of claim 16, wherein the role mechanism
is further capable of responding responds to a request for roles of a given user entry by:

i) identifying a candidate role entry; 

ii) determining whether the given user entry meets the first condition in relation to 
the candidate role entry; 

iii) if the given user entry does not meet the first condition in relation to the candidate 
role entry and the determined role entry has extra data identifying an extra scope, 
determining whether the given user entry meets the second condition in relation 
to the candidate role entry; and 

iv) repeating said i) through said iii) with other candidate roles entries until an end 
condition is met. 

29. (Previously Presented) The directory server system of claim 28, wherein the end condition 
comprises having performed said i) through said iii) with substantially all the applicable 
candidate role entries. 

30. (Previously Presented) The directory server system of claim 28, wherein the given user
entry belongs to a subtree of a top suffix of the tree structure, said ii) is performed for each 
role entry belonging to the subtree of said top suffix, and said iii) is performed for each role 
entry belonging to any subtree of any top suffix of the tree structure. 

31. (Currently Amended) A computer readable storage medium having stored thereon
instructions comprising software code stored thereon for:

a) associating an existing role entry in a tree structure with a first user entry in the 
tree structure, wherein a directory server interacts with entries in the tree 
structure, and wherein the existing role entry defines a role and has an associated 
scope in the tree structure based on the existing role entry's location in the tree
structure according to a first predefined rule, said associating comprising 
attaching the role to the first user entry subject to a first condition comprising a 
role membership condition and the first user entry belonging to the associated 
scope; 

b) adding an attribute to the existing role entry having a special attribute name and 
being associated with an attribute value defining an extra scope in the tree 
structure for the existing role entry, wherein the attribute value identifies a 
designated location in the tree structure outside the existing role entry's 
associated scope, and further wherein the extra scope is based on the designated 
location according to a second predefined rule; and 

c) attaching the role of the existing role entry to a second user entry subject to a 
second condition comprising said role membership condition and the second user 
entry belonging to the extra scope. 

32. (Currently Amended) The computer readable storage medium of claim 31, wherein the 
existing role entry is a nested role entry defining at least one other role. 

33. (Currently Amended) The computer readable storage medium of claim 32, wherein the 
existing role entry has an attribute defining the at least one other role. 

34. (Currently Amended) The computer readable storage medium of claim 31, wherein the role
membership condition comprises a candidate user entry having an attribute designating the 
role defined by the existing role entry. 

35. (Currently Amended) The computer readable storage medium of claim 31, wherein the 
existing role entry has a role filter condition, and the role membership condition comprises 
one or more attributes of a candidate user entry meeting the role filter condition. 

36. (Currently Amended) The computer readable storage medium of claim 35, wherein the
existing role entry has an attribute designating the role filter condition. 

37. (Cancelled) 

38. (Cancelled) 

39. (Currently Amended) The computer readable storage medium of claim 31, wherein the extra 
scope is defined as a subtree of the designated location. 

40. (Currently Amended) The computer readable storage medium of claim 31, wherein the first
predefined rule comprises defining the existing role entry's associated scope as a subtree of a 
parent of the existing role entry in the tree structure. 

41. (Currently Amended) The computer readable storage medium of claim 31, further 
comprising instructions software code stored thereon for:

d) responding to a request of whether a designated user entry has a given role by:
d1) identifying a corresponding role entry corresponding to the given role;
d2) determining whether the designated user entry meets the first condition in
relation to the corresponding role entry;
d3) if the designated user entry does not meet the first condition in relation to
the corresponding role entry, determining whether the corresponding role
entry has extra role data identifying an extra scope; and
d4) if the corresponding role entry has extra role data, determining whether
the designated user entry meets the second condition in relation to the
corresponding role entry.

42. (Currently Amended) The computer readable storage medium of claim 31, further
comprising instructions software code stored thereon for

d) responding to a request for any user entries having a given role by: 

d1) identifying a corresponding role entry corresponding to the given role;
d2) scanning the tree to identify any user entries meeting the first condition in
relation to the corresponding role entry; and
d3) if the corresponding role entry has extra role data identifying an extra 
scope, scanning the tree to identify any user entries meeting the second 
condition in relation to the corresponding role entry. 

43. (Currently Amended) The computer readable storage medium of claim 31, further 
comprising instructions software code stored thereon for

d) responding to a request for roles of a given user entry by:
d1) identifying a candidate role entry;

d2) determining whether the given user entry meets the first condition in 
relation to the candidate role entry, 

d3) if the given user entry does not meet the first condition in relation to the 
candidate role entry and the candidate role entry has extra role data 
identifying an extra scope, determining whether the given user entry 
meets the second condition in relation to the candidate role entry; and 

d4) repeating said d1) through said d3) with other candidate role entries until
an end condition is met. 

44. (Currently Amended) The computer readable storage medium of claim 43, wherein the end 
condition comprises having performed said d1) through said d3) with substantially all the
applicable candidate role entries. 

45. (Currently Amended) The computer readable storage medium of claim 43, wherein the 
given user entry belongs to a subtree of a top suffix of the tree structure, said d2) is 
performed for each role entry belonging to the subtree of said top suffix, and said d3) is 
performed for each role entry belonging to any subtree of any top suffix of the tree structure. 
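
Added illustration, not part of the correspondence or the application: a minimal Python model of the role check recited in steps d1) through d4) and of the scan for role holders, showing which users hold a role only through the extra scope. The attribute names `roleDN` and `extraScopeDN`, the sample tree and the simplified DN handling are assumptions made for this example.

```python
# Added illustration. "roleDN" and "extraScopeDN" are hypothetical attribute names.

def rdns(dn):
    """Split a DN into normalized RDNs (simplified: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]

def in_subtree(dn, base):
    """True if dn is base itself or lies anywhere below it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def role_grant(tree, user_dn, role_dn):
    """Return 'associated scope', 'extra scope' or None for one user and role."""
    role = tree.get(role_dn)                      # d1) find the role entry
    user = tree.get(user_dn)
    if role is None or user is None or role.get("objectclass") != "role":
        return None
    # Role membership condition (as in claim 4): a user attribute names the role.
    member = rdns(user.get("roleDN", "")) == rdns(role_dn)
    # First predefined rule (as in claim 10): subtree of the role entry's parent.
    parent = ",".join(rdns(role_dn)[1:])
    if member and in_subtree(user_dn, parent):    # d2) first condition
        return "associated scope"
    extra = role.get("extraScopeDN")              # d3) extra role data present?
    if extra and member and in_subtree(user_dn, extra):  # d4) second condition
        return "extra scope"
    return None

def users_with_role(tree, role_dn):
    """Scan the tree and report how each holder obtained the role."""
    found = {}
    for dn, attrs in tree.items():
        if attrs.get("objectclass") == "role":
            continue
        grant = role_grant(tree, dn, role_dn)
        if grant:
            found[dn] = grant
    return found

ADMINS = "cn=admins,ou=sales,dc=example,dc=com"
TREE = {  # constructed sample entries
    ADMINS: {"objectclass": "role", "extraScopeDN": "ou=support,dc=example,dc=com"},
    "uid=ann,ou=sales,dc=example,dc=com": {"roleDN": ADMINS},
    "uid=bob,ou=support,dc=example,dc=com": {"roleDN": ADMINS},
    "uid=dan,ou=support,dc=example,dc=com": {},
    "uid=eve,ou=hr,dc=example,dc=com": {"roleDN": ADMINS},
}

if __name__ == "__main__":
    for dn, grant in users_with_role(TREE, ADMINS).items():
        print(f"{dn}: {grant}")
```

Entries reported as "extra scope" hold the role only because of the added attribute on the role entry, so they are the ones an access review of that attribute needs to account for.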






PAGE 10/10 ^ RCVD AT 9/13/2006 6:34:24 PM [Eastern Daylight Time] " SVR:USPTO-EFXRF-2f20 " DNIS:2730716 " CSID:7132288778 " DURATION (mm-ss):03-04 



